mohd7469 / oauth2orize-openid-examples Goto Github PK

To my understanding, when using Authorization Code flow with OIDC, beside generating an access_token and an optional refresh_token, it is mandatory to generate a JWT id_token.

Current exchange does not support that :

server.exchange(oauth2orize.exchange.code(function(client, code, redirectURI, done) {
  db.authorizationCodes.find(code, function(err, authCode) {
    if (err) { return done(err); }
    if (client.id !== authCode.clientID) { return done(null, false); }
    if (redirectURI !== authCode.redirectURI) { return done(null, false); }
    
    var token = utils.uid(256)
    db.accessTokens.save(token, authCode.userID, authCode.clientID, function(err) {
      if (err) { return done(err); }
      done(null, token);
    });
  });
}));

https://github.com/gerges-beshay/oauth2orize-openid-examples/blob/master/oauth2.js#L173

I think it is required to modify two functions - the code grant, to save the scope with authorizationCodes, and the token callback to something like

var params;
if (hasScope(scope, 'openid'){
  params = {
    id_token : //JWT
  };
}

done(null, token,refreshToken, params);

If you are okay with my proposed solution I might be able to send a pull request

I believe it is critical to include an example of JWT id_token generation since OIDC id_tokens are all about JWT as far as I get it from the specs.
So it would be nice to get an example of best practices and recommended modules to use for generating a JWT id_token.

Currently, all OIDC extensions in the example leave the id_token generation up to the user. Which to my opinion is confusing

server.grant(oauth2orize_ext.grant.idToken(function(client, user, done){
  var id_token;
  // Do your lookup/token generation.
  // ... id_token =

  done(null, id_token);
}));

https://github.com/gerges-beshay/oauth2orize-openid-examples/blob/master/oauth2.js#L43

This and the other oauth2orize examples are not using up to date versions of dependencies.